Fears of politically motivated hacking attacks are rampant in Germany following allegations of Russian tampering in this fall's election in the United States and as the country prepares to pick its next chancellor in September. But some German political parties, ministries and international organizations are in certain cases still saving their data onto completely outdated internet servers, thus exposing their data to very high security risks.
Information obtained by SPIEGEL in recent weeks has revealed some striking security holes. Dozens of institutions have been warned, but some of the parties and organizations didn't even act on these warnings, including the right-wing populist Alternative for Germany (AFD) party, the Greens as well as the office of the United Nations in Geneva.
The setups in question are cloud-based storage services similar in nature to Dropbox. The specific security holes are tied to the providers Nextcloud and ownCloud, whose customers can store their data on a dedicated server, but are also required to handle any updates themselves.
The information obtained by SPIEGEL showed some especially striking security vulnerabilities at the AFD, where the server in question is still using software dating back to 2013, the year of the party's founding. A few tricks could suffice for an attacker to access the content on the cloud and also to potentially access other servers used by the party.
AFD and Greens Ignore Warnings
Those responsible for internet security at the AFD did not respond to a warning sent to them at the behest of the Federal Office for Information Security (BSI). The party also didn't answer a request for a response sent to them by SPIEGEL on Thursday.
The Green Party also uses very old software that offers numerous vulnerable points for attacks, but they too didn't respond to the warning. Contacted by SPIEGEL, party officials said they soon planned to shut down the setup, which has been used to store election campaign material. The party said the platform "is operated by an external service provider that is also responsible for security." "In that sense, no reaction was necessary from us."
The incidents illustrate how security risks can grow when political organizations act carelessly with their own data. Following the hacking attacks in the U.S. on the Democratic Party and people close to its former presidential candidate Hillary Clinton, and the politically motivated publication of the data purloined in those security breaches, awareness of the general problem is also growing in German politics. Political parties here have begun, for example, to better equip their IT systems. But fundamental security measures are all too often lacking in the daily business of running the parties.
Some Groups Moving Forward with Updates
This can even be a problem for major international organizations. Like the Green Party in Germany, the United Nations Office at Geneva also uses vulnerable software and did not respond to a warning issued by Swiss security agencies. When asked for a response by SPIEGEL, an official at the UN offices wrote, "We immediately understood the risk," and the server in question "has been scheduled for update."
Nextcloud itself first contacted BSI's Cert emergency team in order to make them aware of the security holes and the agency then began sending out its own warnings at the end of January. SPIEGEL has learned that it was only after these warnings had been sent out that institutions like the German Interior Ministry, the Konrad Adenauer Foundation, the think tank aligned with Chancellor Angela Merkel's Christian Democrats, and the government of the state of North Rhine-Westphalia updated their servers. They had also been using outdated software.
Contacted by SPIEGEL, a spokesperson at BSI spoke of "in some cases critical vulnerabilities." In addition to the risk of the attackers spying on data and using it "for criminal purposes like blackmail," there are also other vulnerabilities. "Other weak points could enable attackers to run arbitrary code on the cloud server, which could also lead to the total compromising of the system and its abuse for further criminal activities." This means that even if the server in question no longer has any sensitive data stored on it, there's still a possibility it could be used to try to seize control of another server.
BSI officials claim that around one in three customers ignore the security warnings that are given to the customer by the provider at the behest of the government agency. The fact that some political parties also ignore the advice may seem normal from a statistical perspective. But officials at BSI are growing increasingly frustrated with the carelessness shown by politicians. Recently, BSI head Arne Schönbohm has repeatedly issued warnings about the threat of politically motivated hacking attacks.
'An Explosive Issue'
The cloud server programs in question -- ownCloud and Nextcloud -- are open-source alternatives to the cloud services of larger providers like Amazon or Dropbox. They are designed for people who want to handle their IT security measures on their own. The problem is that many don't actually follow up and do that.
Nextcloud founder Frank Karlitschek, who also earlier established ownCloud, became the first to ring the alarm. He left ownCloud last year and took a number of employees with him to establish a product that was aimed at being even more secure.
While researching the product versions being used, his employees noticed that many customers were using disturbingly old software in order to store their data on the web. Karlitschek then informed the Cert emergency team at BSI. He says it was clear to him after the politically motivated hacker attacks in the U.S. that this was also "an explosive issue." He then quickly got in touch with the authorities.